Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts
Description
Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated low-privileged attacker (for example, the "User"/"Usuario" role) to read all bank account records belonging to their company by sending an authenticated request to the endpoint, because the API route is protected only by the auth:api middleware and enforces no permission check (unlike the equivalent web route, which requires can('read bank')), and the handler retrieves records with Account::where('company_id', Auth::user()->company_id)->get(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (IBAN, SWIFT/BIC, and account identifiers) to users who should not have access to it.
Vulnerability type (CWE)
CWE-862: Missing Authorization
Affected versions
Prospero Flow CRM after 4.6.0 and before 5.5.3. The vulnerable endpoint was introduced after 4.6.0 and fixed before the 5.5.3 tag, so no tagged release shipped vulnerable. Default status: unaffected.
Score (CVSS 4.0)
High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Solution
Upgrade to version 5.5.3 or higher.
Patch
Commit 57bb5721
Credits
- David Moreno Urbanos - finder
- YoyoDavelion - finder
- Xoán M. Otero Jorge - analyst
- Cristian Fernández Cornejo - analyst
- Secur0 CNA - coordinator
- Gustavo Novaro - remediation developer Discovery source: External Official record: CVE-2026-59235